[Patch 009] httpd for 3.3

Contributed by jose on 2003-10-30 from the fix-your-httpd dept.

A patch for 3.3-stable has been released which addresses a security problem with the Apache web server:

A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution).

You can find the patch here: 3.3/common/009_httpd.patch .

No word yet on 3.2-stable or any patch for the new 3.4-stable branch.

Update: Patch 004 for 3.4 has been released to fix this problem.

(Comments are closed)

Comments

By Scooter () on 2003-10-30 20:23

This patch is for the 1.3 branch in PKGs. right?

Is the Apache2 running well for everyone? threads not a problem? any comments for the "worker" MPM?

TIA - Scooter
Comments
1. By mirabile () mirabile@bsdcow.net on 2003-10-31 05:10 https://MirBSD.BSDadvocacy.org:8890/
  
  Apache 2.0 won't go into the tree. Not over
  henning@'s dead body.
  
  And I fully ACK that decision.
  Apache 1.3 is already ugly enough, to begin with.
  Comments
  1. By Anonymous Coward () on 2003-10-31 10:43
    
    Apache should just be removed altogether.. It can be supported nearly as well with all our custom patches as a port. Then add an Apache2 port and let the user decide.
    
    Its simple really..
    
    Comments
    
    By Pablo M�ndez Hern�ndez () ciph3r@telefonica.net on 2003-10-31 13:17 www.citfi.org
    
    If you don't want to have apache in your system, you can do your own release:
    
    $ cat /etc/mk.conf
    SKIPDIR+= usr.sbin/httpd
    
    ... will do that for you.
    
    (I really apreciate henning@'s work with apache and don't do that on my machines)
By dlg () dlg@dorkzilla.org on 2003-11-02 01:56 http://www.dorkzilla.org/~dlg

the 3.3 patch applies cleanly to the 3.2 source. just follow the instructions as you would for 3.3.
By Gerardo Santana G�mez Garrido () santana at openbsd.org.mx on 2003-11-02 10:48 http://www.openbsd.org.mx/~santana/

I just wonder why the patch was made from /usr/src/usr.sbin instead of /usr/src as always.
Comments
1. By Henning Brauer () henning@ on 2003-11-16 00:36 mailto:henning@
  
  because... because... because... I just did it that way ;-)
  sorry, didn't think about that.
By chris humphries () chris@unixfu.net on 2003-11-05 14:42 http://unixfu.net/

arent kiss and apache/sendmail contradictory?

amazed it is still in by default, hey but it is secure cause it is turned off. just dont open door sendmail and door apache in your new house, other than that it is safe.

needs to be re-thunked? but i guess, like i do, if i dont like it, modify my configuration on the server :)

just curious of consistency with default software.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]